Analysis of network packets using a generated hash code

ABSTRACT

A technique for analyzing network packets includes receiving, by a network processor, a network packet having a packet header including address and control information. A set of bytes are extracted, using the network processor, from the packet header and a set of input bits for generating a hash code are derived, using the network processor, from the set of bytes. Finally, the hash code is generated using the input bits.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is related to the following commonly assignedpatent applications: U.S. patent application Ser. No. ______ (AttorneyDocket No. FR920100059US1), entitled “COMPACTED BINARY IDENTIFIERGENERATION” by Claude Basso et al.; and U.S. patent application Ser. No.______ (Attorney Docket No. FR920100061US1), entitled “BIDIRECTIONALPACKET FLOW TRANSFORMATION” by Claude Basso et al., all of which werefiled on even data herewith and are incorporated herein by reference intheir entirety for all purposes.

This application claims priority to European Patent Application No.EP10306405, entitled “METHOD FOR GENERATING A HASH CODE IN A NETWORKPROCESSOR, ” filed Dec. 14, 2010, the disclosure of which is herebyincorporated herein by reference in its entirety.

BACKGROUND

1. Field

This disclosure relates generally to analysis of network packets and,more specifically, to analysis of network packets using a generated hashcode.

2. Related Art

A typical network packet includes a packet header that has a definednumber of bytes. Analysis of a packet header has typically been requiredin order to assign a network packet to an appropriate packet flow (i.e.,an appropriate receive or transmit queue). As analysis of an entirepacket header may be time consuming, hash codes (which are usually shortcompared to entire packet headers) of packet headers have been utilizedto reduce analysis time. Reducing the time required to identify a packetflow is even more desirable when multiple packet headers (i.e., a packetheader of a lower layer network packet and a packet header of an upperlayer network packet) have to be analyzed to identify a packet flow. Ingeneral, hash codes may have different lengths depending on processingrequirements and, as such, flexibility in calculating hash functions isusually desirable. The usability of a hash code depends on the entropyof the generated hash code. In general, hash codes with higher entropyhave higher information content and, as such, more accurately identify apacket flow of a network packet.

The flexibility of hash functions have typically been defined by twoparameters: the way in which the hash key is assembled; and theproperties of the hash function. Several trade-offs are often made toimplement flexible hashers by playing on variations of the twoproperties. In general, flexibility in hash key assembly may be betterachieved in software implementations of hashers, while flexible hashfunctions usually involve some form of configurable hardware hasherimplementation. Each aspect of hasher flexibility typically comes withlimitations. For example, software key assemblies have performancelimitations when complex patterns are required to build the hash key (inparticular, when the key assembly is done at bit-level granularity). Asanother example, configurable hardware hash functions have silicon arealimitations due to the configuration logic implementing the base hashingelements, which are typically implemented with exclusive OR (XOR) gates.The limitations appear to be especially significant when a hasher isused for identifying packet flows on very high-speed interfaces (e.g.,10 Gbps or more), mainly due to very short packet periodicity (e.g.,67.2 ns or less).

SUMMARY

According to one aspect of the present disclosure, a technique foranalyzing network packets includes receiving, by a network processor, anetwork packet having a packet header including address and controlinformation. A set of bytes are extracted, using the network processor,from the packet header and a set of input bits for generating a hashcode are derived, using the network processor, from the set of bytes.Finally, the hash code is generated using the input bits.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and is notintended to be limited by the accompanying figures, in which likereferences indicate similar elements. Elements in the figures areillustrated for simplicity and clarity and have not necessarily beendrawn to scale.

FIG. 1 is a diagram of a relevant portion of an exemplary hasher of anetwork processor configured according to various aspects of the presentdisclosure.

FIG. 2 is a diagram of content of an output register of a packet parser(which includes a set of bytes extracted from a network packet header)of the hasher of FIG. 1.

DETAILED DESCRIPTION

As will be appreciated by one of ordinary skill in the art, the presentinvention may be embodied as a method, system, device, or computerprogram product. Accordingly, the present invention may take the form ofan embodiment including hardware, an embodiment including software(including firmware, resident software, microcode, etc.) or anembodiment combining software and hardware aspects that may allgenerally be referred to herein as a circuit, module, or system. Thepresent invention may, for example, take the form of a computer programproduct on a computer-usable storage medium having computer-usableprogram code, e.g., in the form of one or more design files, embodied inthe medium.

Any suitable computer-usable or computer-readable storage medium may beutilized. The computer-usable or computer-readable storage medium maybe, for example, but is not limited to, an electronic, magnetic,optical, electromagnetic, infrared, or semiconductor system, apparatus,or device. More specific examples (a non-exhaustive list) of thecomputer-readable storage medium include: a portable computer diskette,a hard disk, a random access memory (RAM), a read-only memory (ROM), anerasable programmable read-only memory (EPROM) or flash memory, aportable compact disc read-only memory (CD-ROM), an optical storagedevice, or a magnetic storage device. As used herein the term “coupled”includes a direct electrical connection between elements or blocks andan indirect electrical connection between elements or blocks achievedusing one or more intervening elements or blocks.

According to various aspects of the present disclosure, a networkprocessor for generating a hash code for analyzing network packets isconfigured to provide flexibility for the use of different length hashcodes. In one or more embodiments, the network processor is configuredfor rapid computation of a hash code and corresponding identification ofpacket flows. According to the present disclosure, a packet header of anetwork packet includes address and control information that is receivedby a network processor. The network processor extracts a set of bytesfrom the packet header and derives (from the set of bytes) a set ofinput bits for generating a hash code.

In various embodiments, the network processor includes a packet parserand a hash code generator. The packet parser is configured to: receive anetwork packet having a packet header (including address and controlinformation), extract a set of bytes from the packet header; and derivefrom the set of bytes a set of input bits for generating a hash code.The hash code generator is configured to generate a hash code using theinput bits. In general, the hash code generator implements a single hashgenerating function that generates the hash code based on the input bitsextracted from the bytes. Accordingly, without modifying the hashgenerating function, a resulting hash code can be adapted by selectingdifferent bytes from a packet header. This facilitates generating a hashcode having a high entropy, as input bits from the selected bytesusually have a high entropy.

The selection of bytes depends on the usage of a network processorwithin a network structure. For example, at a network destination, adestination address may be identical for certain network protocols. Inthis case, the destination address of the packet header does not usuallyprovide useful information for determining the flow of the networkpacket, i.e., the entropy of the information is low. In contrast, in anetwork processor in an intermediate point of a network connection(e.g., a relay station), a source address and a destination address of anetwork packet are meaningful and can be used for hash code generation.An implementation in a network processor or a system for analyzingpackets can be achieved by implementing a single hash code generator insilicon, so that only a relatively small silicon area is occupied forhash code generation. The flexibility in selecting the bytes can beeasily implemented with relatively low computational effort, such thatnetwork packets can be adequately processed even when high data ratesare required.

According to one or more embodiments, extracting a set of bytes from thepacket header includes extracting bytes from a packet header transportedwithin a network packet. For example, when transmission control protocol(TCP) packets are transported in Internet protocol (IP) packets thepacket headers of both packets are utilized to generate a hash code. Inthis manner, the bytes can be selected from a bigger set of bytes. Inanother embodiment, a set of bytes extracted from a packet header mayinclude one or more of: an Internet protocol (IP) source address; atransmission control protocol (TCP) source port; an multi-protocol labelswitching (MPLS) label; an IP destination address; a TCP destinationport; a reserved area; and protocol information. In general, theextracted bytes identify the destination and the source of networkpackets and provide further header information (where the importance ofeach field depends on the kind of network device in which the networkprocessor is used).

In the event that some of the packet header bytes are not meaningful,other packet header bytes that are meaningful can be used. Bytes from IPpacket headers may include bytes from packet headers that conform toInternet Protocol version 4 (IPv4) or Internet Protocol version (IPv6),depending on which network protocol is implemented. According to one ormore embodiments, extracting the IP source address and/or the IPdestination address may include compressing the IP source address and/orthe IP destination address. For example, when IP addresses arerelatively long and the number of input bits of a hash code generatingalgorithm is relatively small, compression is desirable. Further detailsregarding compression of IPv6 addresses is available in U.S. patentapplication Ser. No. ______ (Attorney Docket No. FR920100059US1)entitled “COMPACTED BINARY IDENTIFIER GENERATION.”

In one or more embodiments, a set of input bits is derived from a set ofbytes. The set of input bits are then used to generate a hash code. Inat least one embodiment, the bytes for forming the input bits areordered from most meaningful to least meaningful. In this case, theentropy of the input bits decreases from one side of the input bits tothe other. This facilitates classifying the bits derived from the bytesaccording to their importance so that properties of the hash codegeneration can be taken into account when arranging the input bits.According to one or more embodiments, deriving (from the set of bytes) aset of input bits for generating a hash code includes eliminatingnon-significant bits from the bytes.

Depending on the protocols used, bytes from the packet header may onlyinclude a certain number of meaningful bits by definition. In this case,the remaining non-meaningful bits of a byte may be filled withpredefined values. It should be appreciated that non-specified bits donot have valuable information (i.e., their entropy is zero) fordetermining the flow of network packets and, as such, non-specified bitsmay be omitted in creating a hash code. For example, non-specified bitsmay be omitted using bit shifting, which requires minimal computationaleffort. Alternatively, non-specified bits may be set or maintained at 0,so that the non-specified bit have no effect in the cascade of XOR gatesin a hasher combinatorial cone.

In at least one embodiment, a hash code is generated with the mostmeaningful bits arranged on one side of the hash code. In thisembodiment, the entropy of the hash code decreases from one side of thehash code to the other. In this case, an entire generated hash code or areduced number of bits from the generated hash code may be used toidentify a flow for a network packet. As the most meaningful bits can bereadily selected from a hash code, a single hash code generator can beused for different purposes. In one or more embodiments, input bits canbe arranged in a particular manner, e.g., according to their entropy, sothat the input bits can be processed (by the hash code generator)according to their importance. In one or more embodiments, input bitsand output bits of a hash code generator are both arranged with the mostimportant bits towards one side of the code.

Referring to FIG. 1, relevant components of a hasher (of a networkprocessor) that are used to generate a hash code are illustrated. Apacket header 1 of a network packet is passed to the network processor.The network processor includes a packet parser 2 and a hash codegenerator (hasher combinatorial cone) 3 coupled to parser 2. Parser 2includes a parser unit 4, a bit masking unit 14, and an output register5. Parser unit 4 is configured to extract bytes from packet header 1.The bytes are predefined and depend on the use of the network processor.With reference to FIG. 2, a packet header included in output register 5may be, for example, a packet header for an IP packet that includes aTCP packet. In this case, extracted bytes may correspond to an IP sourceaddress (IP SA) 6, a TCP source port (TCP SP) 7, a multi-protocol labelswitching (MPLS) label 8, 11, an IP destination address (IP DA) 9, a TCPdestination port (TCP DP) 10, a reserved area 12, and a protocol byte(Prot) 13.

The bytes are passed from parser unit 4 to bit masking unit 14, whichassembles meaningful bits from the bytes as input bits for hash codegenerator 3. The MPLS label (MPLS label 8, MPLS label 11, and reservedarea 12,) includes twenty-four bits (four spare bits and twenty usedbits). Bit masking unit 14 may, for example, replace the fourmeaningless (spare) bits with ‘0’ and assemble the input bitsaccordingly. In one or more embodiments, parser unit 4 arranges thebytes extracted from packet header 1 according to their importance. Forexample, the bytes may be arranged as shown in FIG. 2 starting with IPsource address 6 and followed by TCP source port 7, MPLS label 8, IPdestination address 9, TCP destination port 10, MPLS label 11, reservedarea 12, and protocol byte 13. In one or more embodiments, hash codegenerator 3 is configured to receive one-hundred twenty-eight inputbits, as provided in output register 5. In various embodiments, hashcode generator 3 implements a hash function that is a classicalcombinatorial cone of logic based on XOR gates that combines all128-bits (i.e., the input bits) of output register 5 to produce aresulting 32-bit hash value.

In at least one embodiment, hash code generator 3 is implemented toprovide the most meaningful output bits on the left side of the hashcode, as indicated by the triangular form of hash code generator 3.Arrangement of the output bits is based on the respective arrangement ofthe input bits according to their importance. As such, the hash code canbe (entirely or partially) utilized starting from the side of the mostimportant bits to correctly identify a flow of a network packet. Asmentioned above, depending on the circumstances, different pieces ofinformation may have higher entropy for calculating the hash code.Accordingly, different scenarios can be implemented for assembling theinput bits to hash code generator 3 Flexibility for key assembly isachieved through a distribution bus 15, which is provided as part ofparser unit 4. Distribution bus 15 arranges bytes from packet header 1(that are extracted within parser unit 4) for further processing. In oneor more embodiments, distribution bus 15 is implemented as a pico-codedfinite state machine (FSM). Distribution bus 15 facilitates assemblingraw keys with any combinations of bytes extracted (by packet parser 2)from packet header 1.

For example, information available for key construction may includevarious scenarios, e.g., a 5-tuple format, a 3-tuple format, a 2-tupleformat, a multiprotocol label switching (MPLS) 1 format, an MPLS 2format, and a tunnelled IP-in-IP packet format. The designation andsizes of the various scenario are illustrated in the tables below:

5-Tuple:

SA Source Address 4 Bytes SP Source Port 2 Bytes DA Destination Address4 Bytes DP Destination Port 2 Bytes Proto Protocol 1 Byte

3-Tuple

DA Destination Address 4 Bytes DP Destination Port 2 Bytes ProtoProtocol 1 Byte

2-Tuple

DP Destination Port 2 Bytes Proto Protocol 1 Byte

MPLS 1

Label 2.5 Bytes   SA Source Address 4 Bytes SP Source Port 2 Bytes DADestination Address 4 Bytes DP Destination Port 2 Bytes Proto Protocol 1Byte 

MPLS 2

Label 2.5 BytesTunnelled IP-in-IP packets

SA (1) Inner packet Source Address 4 Bytes SP (1) Inner packet SourcePort 2 Bytes DA (1) Inner packet Destination Address 4 Bytes DP (1)Inner packet Destination Port 2 Bytes Proto (1) Inner packet Protocol 1Byte SA (2) Outer packet Source Address 4 Bytes DA (2) Outer packetDestination Address 4 Bytes

In the disclosed embodiments, bit masking unit 14 and output register 5are implemented inside parser 2. It should be appreciated, however, thatthe functions provided by bit masking unit 14 and output register 5 canbe provided independent, i.e., outside parser 2.

Accordingly, a network processor has been disclosed herein thatadvantageously analyzes network packets using a generated hash code todetermine packet flow.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the invention. Asused herein, the singular forms “a,” “an,” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”and/or “comprising,” (and similar terms, such as includes, including,has, having, etc.) are open-ended when used in this specification,specify the presence of stated features, integers, steps, operations,elements, and/or components, but do not preclude the presence oraddition of one or more other features, integers, steps, operations,elements, components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of allmeans or step plus function elements in the claims below, if any, areintended to include any structure, material, or act for performing thefunction in combination with other claimed elements as specificallyclaimed. The description of the present invention has been presented forpurposes of illustration and description, but is not intended to beexhaustive or limited to the invention in the form disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the invention.The embodiment was chosen and described in order to best explain theprinciples of the invention and the practical application, and to enableothers of ordinary skill in the art to understand the invention forvarious embodiments with various modifications as are suited to theparticular use contemplated.

Having thus described the invention of the present application in detailand by reference to preferred embodiments thereof, it will be apparentthat modifications and variations are possible without departing fromthe scope of the invention defined in the appended claims.

1. A method for analyzing network packets, comprising: receiving, usinga network processor, a network packet having a packet header includingaddress and control information; extracting, using the networkprocessor, a set of bytes from the packet header, wherein the set ofbytes is selected based on usage of the network processor within anetwork structure; deriving, using the network processor, from the setof bytes a set of input bits for generating a hash code; and generating,using the network processor, the hash code using the input bits.
 2. Themethod of claim 1, wherein the extracting, using the network processor,a set of bytes from the packet header includes extracting bytes from apacket header transported within the network packet.
 3. The method ofclaim 1, wherein the extracting, using the network processor, a set ofbytes from the packet header includes extracting an IP source addressand an IP destination address from the packet header.
 4. The method ofclaim 3, wherein the extracting an IP source address and an IPdestination address from the packet header includes compressing the IPsource address and the IP destination address.
 5. The method of claim 1,wherein the deriving, using the network processor, from the set of bytesa set of input bits for generating a hash code includes ordering thebytes for forming the input bits from most meaningful to leastmeaningful.
 6. The method of claim 1, wherein the deriving, using thenetwork processor, from the set of bytes a set of input bits forgenerating a hash code includes replacing meaningless bits in the bytes.7. The method of claim 1, wherein the generating, using the networkprocessor, a hash code using the input bits includes generating a hashcode with most meaningful bits arranged on one side of the hash code. 8.A network processor for analyzing network packets, comprising: a packetparser, wherein the packet parser is configured to: receive a networkpacket having a packet header that includes address and controlinformation; extract a set of bytes from the packet header, wherein theset of bytes is selected based on usage of the network processor withina network structure; and derive from the set of bytes a set of inputbits for generating a hash code; and a hash code generator coupled tothe packet parser, wherein the hash code generator is configured togenerate the hash code using the input bits.
 9. The network processor ofclaim 8, wherein the packet header is transported within the networkpacket.
 10. The network processor of claim 8, wherein the packet parseris further configured to extract an IP source address and an IPdestination address from the packet header.
 11. The network processor ofclaim 10, wherein the network processor is further configured tocompress the IP source address and the IP destination address.
 12. Thenetwork processor of claim 8, wherein packet parser is furtherconfigured to order the bytes for forming the input bits from mostmeaningful to less meaningful.
 13. The network processor of claim 8,wherein the packet parser is further configured to replace meaninglessbits in the bytes.
 14. The network processor of claim 8, wherein thehash code generator generates the hash code with most meaningful bitsarranged on one side of the hash code.
 15. A network processor foranalyzing network packets, comprising: a packet parser including a bitmasking unit for replacing meaningless bits, wherein the packet parseris configured to: receive a network packet having a packet header thatincludes address and control information; extract a set of bytes fromthe packet header, wherein the set of bytes is selected based on usageof the network processor within a network structure; and derive from theset of bytes a set of input bits for generating a hash code, wherein theinput bits include at least one replaced meaningless bit; and a hashcode generator coupled to the packet parser, wherein the hash codegenerator is configured to generate the hash code using the input bits,and wherein the packet header is transported within the network packet.16. The network processor of claim 15, wherein the packet parser isfurther configured to extract an IP source address and an IP destinationaddress from the packet header.
 17. The network processor of claim 16,wherein the network processor is further configured to compress the IPsource address and the IP destination address.
 18. The network processorof claim 15, wherein packet parser is further configured to order thebytes for forming the input bits from most meaningful to leastmeaningful.
 19. The network processor of claim 15, wherein the packetparser is further configured to replace the at least one replacedmeaningless bit in the bytes.
 20. The network processor of claim 15,wherein the hash code generator generates the hash code with mostmeaningful bits arranged on one side of the hash code.